Key Vaults Secrets/Key Expiration

Rahul 21 Reputation points
2022-03-10T12:30:59.757+00:00

Hello, I wanted to ask what the endpoint is to retrieve the expiration of secrets and keys and how to retrieve them.

import http.client
import json
import requests

def get_token():
    # Client-credentials flow against Azure AD; "resource" scopes the token to the management plane
    r = requests.post("https://login.microsoftonline.com/TenantID/oauth2/token",data={"grant_type": "client_credentials", "client_secret": "xxxxxxxxxx ","client_id": "xxxxxxxxx", "resource": "https://management.azure.com"})
    ret_body = r.json()
    return ret_body['access_token']

token = get_token()
headers = {'Authorization': 'Bearer ' + token}
# Management-plane call: lists the key vaults in the subscription (not their contents)
conn = http.client.HTTPSConnection('management.azure.com')
conn.request("GET", '/subscriptions/xxxxx/providers/Microsoft.KeyVault/vaults?api-version=2019-09-01', "", headers)
response = conn.getresponse()
key_data = response.read()
key_data = key_data.decode('utf-8')
key_data = json.loads(key_data)
#print(key_data)

I used this code and the endpoint mentioned above as it was given on cloudsploit. The endpoints for keys and secrets, however, are {vaultUri}keys?api-version=7.0 and {vaultUri}secrets?api-version=7.0 respectively. Since I'm working for the client, I can't mention the name of the secret or key while calling them using an endpoint. How do I retrieve them then? Please do help.


1 answer

  1. Siva-kumar-selvaraj 15,721 Reputation points
    2022-03-13T19:44:08.82+00:00

    Thanks for reaching out.

    You must specify each key vault's name in the URI (let's say: "GET", "/" + https://keyvaults["Vault_Uri"] + "keys?api-version=7.0" or "GET", "/" + https://keyvaults["Vault_Uri"] + "secrets?api-version=7.0") to retrieve the expiry dates of the respective keys and secrets, because this information is part of the data plane, which allows you to work with the data stored in a key vault. Hence, you can't use the management plane endpoint "GET", '/subscriptions/xxxxx/providers/Microsoft.KeyVault/vaults?api-version=2019-09-01' to retrieve information about data stored in Azure Key Vault.

    To learn more about the different types of key vault planes, refer to: https://learn.microsoft.com/en-us/answers/questions/25726/what-is-management-and-data-plane-in-azure-key-vau.html

    Therefore, you need to get all the key vault names created in your subscription and load them into some variable; then you can retrieve the expiry dates of keys and secrets accordingly. If you can't retrieve the Key Vault names from a variable, then you could consider the alternative approach of enabling Azure Key Vault logging to monitor Microsoft.KeyVault.SecretNearExpiry and get notifications using Azure Automation (Event Grid) or a Logic App, as explained below:

    Azure Key Vault logging: https://learn.microsoft.com/en-us/azure/key-vault/general/logging?tabs=Vault
    Creating a Logic App to remind Key Vault key Expiry: https://learn.microsoft.com/en-us/answers/questions/398632/creating-a-logic-app-to-remind-key-vault-key-expir.html

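Putting the two planes together, as an added example that is not code from the question or the answer: list vault URIs from the management-plane response, build the data-plane listing URL per vault, and turn the returned `attributes.exp` values into an expiry report that also flags secrets with no expiry set. The sample responses are constructed, and the response shapes (vaultUri under `properties`, `exp` as Unix seconds, `kid` instead of `id` for keys) are assumed; note that a token for the data-plane URL has to be issued for resource https://vault.azure.net, not the management resource used by the question's get_token.

```python
import http.client
import json
import time
import urllib.parse

# Constructed sample of the management-plane vault list; vaultUri sits under "properties".
VAULT_LIST = {"value": [
    {"name": "vault-a", "properties": {"vaultUri": "https://vault-a.vault.azure.net/"}},
]}

# Constructed sample data-plane listing (GET {vaultUri}secrets?api-version=7.0); key listings carry "kid" not "id", "exp" is Unix seconds.
SECRET_LIST = {"value": [
    {"id": "https://vault-a.vault.azure.net/secrets/db-password",
     "attributes": {"enabled": True, "exp": 1648000000}},
    {"id": "https://vault-a.vault.azure.net/secrets/legacy-cert",
     "attributes": {"enabled": True, "exp": 1640995200}},
    {"id": "https://vault-a.vault.azure.net/secrets/api-token",
     "attributes": {"enabled": True}},  # no expiry set at all
], "nextLink": None}

def vault_uris(vault_list):
    """Collect vaultUri for every vault the management plane returned."""
    return [v["properties"]["vaultUri"] for v in vault_list["value"]]

def data_plane_url(vault_uri, kind):
    """Build the listing URL; vaultUri already ends with '/', so no extra slash."""
    return f"{vault_uri}{kind}?api-version=7.0"

def fetch_json(url, token):
    """GET JSON with a bearer token via http.client, as in the question. The token for a
    data-plane URL must be issued for resource https://vault.azure.net, not management."""
    parts = urllib.parse.urlsplit(url)
    conn = http.client.HTTPSConnection(parts.netloc)
    conn.request("GET", f"{parts.path}?{parts.query}", "", {"Authorization": "Bearer " + token})
    return json.loads(conn.getresponse().read().decode("utf-8"))  # check "nextLink" for paging

def expiry_report(listing, now=None, warn_days=30):
    """Return (name, status, days_left) per item; items without 'exp' are flagged."""
    now = int(time.time()) if now is None else now
    report = []
    for item in listing["value"]:
        name = (item.get("id") or item["kid"]).rsplit("/", 1)[-1]
        exp = item.get("attributes", {}).get("exp")
        if exp is None:
            report.append((name, "no-expiry", None))
            continue
        days = (exp - now) // 86400
        status = "expired" if days < 0 else ("expiring" if days <= warn_days else "ok")
        report.append((name, status, days))
    return report
```

Run `fetch_json(data_plane_url(uri, "secrets"), data_plane_token)` for each URI from `vault_uris(...)` and feed the result to `expiry_report`; items reported as "no-expiry" are worth reviewing, since they never rotate on their own.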
